[FFmpeg-cvslog] avcodec/012v: redesign main loop
Michael Niedermayer
git at videolan.org
Tue Mar 10 23:56:39 CET 2015
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Mar 10 19:18:34 2015 +0100| [48df30d36c3ca360c407d84f96749888d1fbe853] | committer: Michael Niedermayer
avcodec/012v: redesign main loop
Fixes out of array accesses
Fixes: ffmpeg_012v_crash.ts
Found-by: Thomas Lindroth <thomas.lindroth at gmail.com>
Reviewed-by: Thomas Lindroth <thomas.lindroth at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=48df30d36c3ca360c407d84f96749888d1fbe853
---
libavcodec/012v.c | 82 +++++++++++++++++++++++++----------------------------
1 file changed, 39 insertions(+), 43 deletions(-)
diff --git a/libavcodec/012v.c b/libavcodec/012v.c
index 7526e8f..b87551e 100644
--- a/libavcodec/012v.c
+++ b/libavcodec/012v.c
@@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx)
static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
int *got_frame, AVPacket *avpkt)
{
- int line = 0, ret;
+ int line, ret;
const int width = avctx->width;
AVFrame *pic = data;
uint16_t *y, *u, *v;
@@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
pic->pict_type = AV_PICTURE_TYPE_I;
pic->key_frame = 1;
- y = (uint16_t *)pic->data[0];
- u = (uint16_t *)pic->data[1];
- v = (uint16_t *)pic->data[2];
line_end = avpkt->data + stride;
+ for (line = 0; line < avctx->height; line++) {
+ uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000};
+ uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000};
+ uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000};
+ int x;
+ y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
+ u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
+ v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+
+ for (x = 0; x < width; x += 6) {
+ uint32_t t;
+
+ if (width - x < 6 || line_end - src < 16) {
+ y = y_temp;
+ u = u_temp;
+ v = v_temp;
+ }
+
+ if (line_end - src < 4)
+ break;
- while (line++ < avctx->height) {
- while (1) {
- uint32_t t = AV_RL32(src);
+ t = AV_RL32(src);
src += 4;
*u++ = t << 6 & 0xFFC0;
*y++ = t >> 4 & 0xFFC0;
*v++ = t >> 14 & 0xFFC0;
- if (src >= line_end - 1) {
- *y = 0x80;
- src++;
- line_end += stride;
- y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
- u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
- v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+ if (line_end - src < 4)
break;
- }
t = AV_RL32(src);
src += 4;
*y++ = t << 6 & 0xFFC0;
*u++ = t >> 4 & 0xFFC0;
*y++ = t >> 14 & 0xFFC0;
- if (src >= line_end - 2) {
- if (!(width & 1)) {
- *y = 0x80;
- src += 2;
- }
- line_end += stride;
- y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
- u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
- v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+
+ if (line_end - src < 4)
break;
- }
t = AV_RL32(src);
src += 4;
@@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
*y++ = t >> 4 & 0xFFC0;
*u++ = t >> 14 & 0xFFC0;
- if (src >= line_end - 1) {
- *y = 0x80;
- src++;
- line_end += stride;
- y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
- u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
- v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+ if (line_end - src < 4)
break;
- }
t = AV_RL32(src);
src += 4;
@@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data,
*v++ = t >> 4 & 0xFFC0;
*y++ = t >> 14 & 0xFFC0;
- if (src >= line_end - 2) {
- if (width & 1) {
- *y = 0x80;
- src += 2;
- }
- line_end += stride;
- y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
- u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
- v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+ if (width - x < 6)
break;
- }
}
+
+ if (x < width) {
+ y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]);
+ u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
+ v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
+ memcpy(y, y_temp, sizeof(*y) * (width - x));
+ memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
+ memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
+ }
+
+ line_end += stride;
+ src = line_end - stride;
}
*got_frame = 1;
More information about the ffmpeg-cvslog
mailing list